Enforce policy before resource.validate

We make client calls in resource.validate for a number of
resource plugins to check constraints or custom validations.
However, we're enforcing resource policies after validate,
which results in unnecessary client calls and 'unauthorized'
errors from the service.

Change-Id: I37c22027115beded4ea9585729a97882c961fad0
Closes-Bug: #1627706
rabi 2016-09-26 13:03:00 +05:30
parent bc6fa5dedf
commit ada0a1a970
2 changed files with 3 additions and 2 deletions


@ -697,6 +697,7 @@ class EngineService(service.Service):
parent_resource=parent_resource_name,
**common_params)
self.resource_enforcer.enforce_stack(stack)
self._validate_deferred_auth_context(cnxt, stack)
stack.validate()
# For the root stack print a summary of the TemplateResources loaded
@ -735,7 +736,6 @@ class EngineService(service.Service):
args,
convergence=conv_eng)
self.resource_enforcer.enforce_stack(stack)
return api.format_stack_preview(stack)
@context.request_context
@ -801,7 +801,6 @@ class EngineService(service.Service):
stack_user_project_id, convergence, parent_resource_name,
template_id)
self.resource_enforcer.enforce_stack(stack)
stack_id = stack.store()
if cfg.CONF.reauthentication_auth_method == 'trusts':
stack = parser.Stack.load(
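Review bot: The ordering that carries the fix, `self.resource_enforcer.enforce_stack(stack)` ahead of `self._validate_deferred_auth_context(cnxt, stack)` and `stack.validate()` in the first hunk, is not explained in the code, so a later refactor could move the policy check back behind validation without anyone noticing. I would put a comment above it such as `# Enforce resource-type policy before validate(): validation makes client calls to other services`. The second and third hunks appear to drop the per-caller `enforce_stack` calls in favour of this single one, so any other entry point that reaches `stack.validate()` without going through this shared code (none is visible here) should be checked for the same order. The enclosing methods start and end outside the hunks.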


@ -24,6 +24,7 @@ from heat.common import context
from heat.common import environment_util as env_util
from heat.common import exception
from heat.common import identifier
from heat.common import policy
from heat.common import template_format
from heat.engine.cfn import template as cfntemplate
from heat.engine import environment
@ -1165,6 +1166,7 @@ class StackServiceTest(common.HeatTestCase):
@mock.patch.object(service.api, 'format_stack_preview', new=mock.Mock())
@mock.patch.object(service.parser, 'Stack')
def test_preview_stack_checks_stack_validity(self, mock_parser):
self.patchobject(policy.ResourceEnforcer, 'enforce_stack')
exc = exception.StackValidationFailed(message='Validation Failed')
mock_parsed_stack = mock.Mock()
mock_parsed_stack.validate.side_effect = exc
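Review bot: The added `self.patchobject(policy.ResourceEnforcer, 'enforce_stack')` in `test_preview_stack_checks_stack_validity` only silences the enforcer, so nothing visible in this hunk pins the behaviour the commit is about, namely that policy is enforced before `validate()` runs. I would keep the returned mock, `mock_enforce = self.patchobject(policy.ResourceEnforcer, 'enforce_stack')`, and add a companion test in which the patched enforcer raises and the test checks `self.assertFalse(mock_parsed_stack.validate.called)`. That way a regression that moves the check back behind validation fails a test instead of showing up as 'unauthorized' errors from the backing service. The test body continues past the end of the hunk, so an existing assertion there may already cover part of this.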